Australia's latest draft of legislation that would enable law enforcement access to encrypted communications is still far too secretive and imperils privacy and security, technology companies and civil liberties organizations contend.

Like the U.S. and U.K., Australia contends that encrypted communications are hampering law enforcement and national security investigations. Last year, the government marshalled support among its allies for new laws that would compel communications providers to unlock encrypted content (see Australia Pushes 'Five Eyes' for Tools to Counter Encryption).

The Australian government has strenuously denied it was seeking to force companies to install "backdoors," or surreptitious access methods. But encryption experts and technologists have argued that the government's position is more of a misleading semantics game and that any such access technique would increase security risks.

On Thursday, a coalition of 25 civil society organizations and 13 technology companies jointly filed comments on the latest draft of the bill.

The coalition says that while some of the provisions of the draft bill are "commendable," the proposed legislation nonetheless "poses serious threats to cybersecurity, privacy and freedom of expression." In a separate filing on Friday, Cisco suggests that other countries with fewer bounds on executive power will take cues from Australia's moves.

"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco writes.

The legislation, however, has robust support from police and government.

"Secure, encrypted communications are being used by terrorist groups and organized criminals to avoid detection and disruption," the Department of Home Affairs writes in a submission. "Over 90 percent of telecommunications information being lawfully intercepted by the Australian Federal Police now uses some form of encryption."

Tech Companies on Notice

The legislation would allow for the government to issue three kinds of notices: voluntary technical assistance notices, technical assistance notices and technical capability notices.

It's the technical capability notice that is causing the most concern. An organization receiving that kind of notice would be compelled to build a new capability to give assistance to the government. The government maintains that this kind of order does not mean a company is compelled to remove encryption if it is not possible to do so.

The bill further says that the government cannot order an organization to build a systemic weakness or vulnerability into its service. But the coalition says that "other sections of the bill undermine the safeguards provided by this language."

Apple's submission to the parliamentary committee

In addition to joining the coalition, Apple submitted separate comments on Friday. The scope of the bill, it contends, would appear to allow for actions such as preventing certain users from receiving security updates.

"We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products," Apple writes. "Due to the breadth and vagueness of the bill's authorities, coupled with ill-defined restrictions, that commitment is not currently being met."

FBI-Apple Redux?

Apple, which fought a high-profile battle with the FBI over access to an iPhone used by one of the shooters in an incident in San Bernardino, California, contends that it's not possible to only grant special access to encrypted data to law enforcement without broader risk.

"That is a false premise," Apple writes. "Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone."

Indeed, the coalition contends in its submission that the proposed Australian legislation "also appears to permit the type of demand" that the FBI made of Apple.

The FBI successfully gained a court order that compelled Apple to create a special version of its iOS mobile operating system that would remove certain security protections. Apple fought the order, and the FBI later dropped its legal action after finding another way to unlock the device.

Apple Says Secrecy Requirements 'Stifling'

Australia's proposed legislation is somewhat modeled on the U.K.'s Investigatory Powers Act, which similarly empowers the government to require cooperation of organizations in accessing locked data. The U.K., however, requires that Judicial Commissioners review proposed technical capability notices prior to issuance (see British Home Secretary Demands Backdoored Communications).

The coalition, and Apple in a separate filing, noted that the Australian plan would leave the attorney general with the sole power to determine if a technical capability notice should be carried out.

The revised bill, however, would allow an organization to jointly examine with the attorney general whether a technical capability notice would, say, violate the prohibition on creating systemic weaknesses in products. But the coalition contends the bill wouldn't allow for "adequate oversight" of either a technical assistance notice or a technical capability notice, before or after the government issues one.

"Given the breadth and power of the new authorities that would be created by the bill, it is critical that the law provides for robust oversight of authorizing agencies to ensure accountability," the coalition says.

Under the proposed law, organizations would be allowed to release statistics twice a year on the type of received requests. But there would be strict penalties for disclosing a specific request, with a maximum sentence of five years in prison.

Apple calls the secrecy requirement "stifling," suggesting that it could prevent legitimate whistleblowing.

"For instance, if an engineer working for a provider tasked with complying with a TCN [technical capability notice] had a legitimate legal or ethical concern, they could be imprisoned for five years for merely disclosing the fact of a TCN to his or her employer's human resources office," Apple writes. "Similarly, an employee of a provider who legitimately believed a TAN [technical assistance notice] or TCN violated the law, could not disclose that concern for fear of punishment."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
